Good content is sometimes not enough, the users must reach it so they can see it's good!

Password requirements

Posted: May 14th, 2009 | Filed under: Good practices, Usability fail | 3 Comments

Let’s face it! People use the same password on every site where they need an account. More exactly, they use their email and computer login password 🙂 You’d be amazed how many users have only one password. It’s a bad thing, but that’s how it is.

A while ago a friend of mine wrote on his blog about sites which demand a certain number of characters, demand both numbers and letters, and even demand one of the weird signs on the number keys. Putting a maximum limit on the number of characters is plain stupid.

Please, don’t make users come up with a different password than the one they already use. Chances are they already use a password with more than 6 characters (due to restrictions all over the place). If you make the user invent a password with #$%^, he’s going to forget it. Then he will have to recover or reset it, which generates errors and frustration.


3 Comments on “Password requirements”

  1. Luiz Esmiralha said at 2:37 pm on June 8th, 2009:

    That’s good advice only if you are providing generic, personal, “harmless” services to your customers, like blogs and picture albums. Stuff that doesn’t impact revenue. Services that demand security need a stronger password policy.

  2. Jacob Wyke said at 5:08 am on July 26th, 2009:

    Totally agree with you on this one. I hate sites that force me to include a mixture of numbers and uppercase letters, as it makes it no stronger if you already have a long password.

    Yes, a 6 letter (a-z) password is less secure than a 6 letter (a-zA-Z0-9) password, but not as strong as a 10+ letter (a-z) one.

    I’m personally just waiting for more sites to start asking for passphrases so that they become common enough that users understand them and don’t get confused.

  3. Simon said at 2:57 pm on February 6th, 2010:

    @Jacob – Wrong, ‘newyorkcity’ is less secure than Pus9I34 in every way. The first is not only open to dictionary attacks, it also has fewer combinations.

    @adrian – Putting a maximum limit on a password is not stupid. Putting a very small one is, but putting some sort of maximum on is sensible.

    As for making users use different characters, tough. Users are the first to complain if their account gets hacked, but then when users use “1234” or “password” for their account, what do they expect? Unfortunately, some users need to be saved from their own stupidity.
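
The comments above compare short mixed-character passwords with longer lowercase ones and with dictionary words. As an added example (not part of the original post or its comments), this Python code estimates guessing effort in bits under a brute-force model and a word-list model; the word list, the deny-list and the 10,000-word dictionary size are constructed assumptions.

```python
import math

# Constructed sample data (assumptions for illustration only).
COMMON = {"1234", "password"}                 # examples named in the comments
WORDS = {"new", "york", "city", "pass", "word"}
DICT_SIZE = 10_000                            # assumed attacker word-list size

def charset_size(pw):
    """Alphabet size a brute-force search must cover for this password."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 33 if any(not c.isalnum() for c in pw) else 0  # ASCII symbols + space
    return size

def brute_force_bits(pw):
    """log2 of the number of candidates of this length over this alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def split_words(pw, words=WORDS):
    """Return the dictionary words that make up pw, or None if it is not
    a pure concatenation of known words."""
    pw = pw.lower()
    found = {0: []}                           # end index -> words used so far
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if start in found and pw[start:end] in words:
                found[end] = found[start] + [pw[start:end]]
                break
    return found.get(len(pw))

def estimate_bits(pw):
    """Strength under the cheapest attack: deny-list, word list, brute force."""
    if pw.lower() in COMMON:
        return 0.0                            # guessed almost immediately
    brute = brute_force_bits(pw)
    parts = split_words(pw)
    if parts:
        return min(brute, len(parts) * math.log2(DICT_SIZE))
    return brute

if __name__ == "__main__":
    for pw in ["abcdef", "abcDE1", "abcdefghij", "newyorkcity", "Pus9I34", "password"]:
        print(f"{pw:12} brute={brute_force_bits(pw):5.1f} bits  "
              f"cheapest={estimate_bits(pw):5.1f} bits")
```

The brute-force figure rewards length regardless of character mix, while the cheapest-attack figure drops sharply for anything built from listed words or found on a deny-list.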
